8.6 High, CVSS3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H)

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | NONE |
User Interaction | NONE |
Scope | CHANGED |
Confidentiality Impact | NONE |
Integrity Impact | NONE |
Availability Impact | HIGH |

8.4 High, AI Score (Confidence: High)

5 Medium, CVSS2 (AV:N/AC:L/Au:N/C:N/I:N/A:P)

Metric | Value |
---|---|
Access Vector | NETWORK |
Access Complexity | LOW |
Authentication | NONE |
Confidentiality Impact | NONE |
Integrity Impact | NONE |
Availability Impact | PARTIAL |

0.004 Low, EPSS (Percentile: 71.8%)
Cisco recently uncovered a sophisticated cyber espionage campaign, ArcaneDoor, targeting perimeter network devices used by government and critical infrastructure sectors. This campaign involves state-sponsored actors exploiting two zero-day vulnerabilities (CVE-2024-20353 and CVE-2024-20359) aimed primarily at espionage through intricate malware known as Line Runner and Line Dancer.
ArcaneDoor manipulates perimeter network devices, such as Cisco Adaptive Security Appliances (ASA), to reroute or monitor network traffic, providing a strategic vantage point for espionage. The investigation, spurred by vigilant customer reports early in 2024, revealed that these devices had been compromised to facilitate espionage without prior authentication, using sophisticated techniques to modify configurations and intercept data.
The attackers deployed the Line Dancer malware as an in-memory shellcode interpreter to execute arbitrary commands directly on the devices. Because it runs only in memory, this technique leaves few forensic traces and complicates detection. Line Runner, a persistent backdoor, is installed by manipulating the device boot process so that it survives reboots and updates, indicating a deep understanding of Cisco ASA's operational mechanics.
Cisco has responded by releasing patches for the exploited vulnerabilities and publishing detailed advisories urging all users to update their devices immediately to protect against these attacks. Additionally, network administrators are advised to monitor their devices closely for signs of compromise, such as unexpected reboots or unusual outgoing network traffic.
Qualys's multifaceted vulnerability management capabilities become particularly relevant in incidents like ArcaneDoor, where Cisco devices were compromised through sophisticated malware like Line Runner and Line Dancer. While the affected devices may not support traditional agent-based monitoring solutions due to their network-centric nature, Qualys's platform mitigates such gaps through its comprehensive suite of security solutions.
Network devices, often devoid of agent support, present significant blind spots in an organization's security posture. Qualys addresses these blind spots by combining agent-based monitoring with network scans, external scans, and passive listening technologies. This integrated approach ensures that all aspects of an organization's infrastructure are covered, from on-premises systems to cloud environments, providing a more accurate and extensive risk assessment.
Qualys has released the following QIDs to address these recent vulnerabilities:
QID | Title | Release Version | CVE ID |
---|---|---|---|
317450 | Cisco Adaptive Security Appliance and Firepower Threat Defense Software Web Services Denial of Service (DoS) Vulnerability (cisco-sa-asaftd-websrvs-dos-X8gNucD2) | VULNSIGS-2.6.36-3 | CVE-2024-20353 |
317451 | Cisco Adaptive Security Appliance and Firepower Threat Defense Software Persistent Local Code Execution Vulnerability (cisco-sa-asaftd-persist-rce-FLsNXF4h) | VULNSIGS-2.6.36-3 | CVE-2024-20359 |
Please refer to the QID Knowledgebase for a comprehensive listing of coverage related to this vulnerability.
The ArcaneDoor campaign illustrates the need for a unified cybersecurity defense strategy leveraging agent-based and agent-less technologies. Qualys exemplifies this strategy by offering a comprehensive view of an organization's security posture, enabling timely and effective responses to known and emerging threats.
The discovery of the ArcaneDoor espionage campaign underscores the critical importance of alertness and timely response. State-sponsored actors exploited two vulnerabilities in perimeter network devices, CVE-2024-20353 and CVE-2024-20359, to deploy the malware components "Line Runner" and "Line Dancer" for espionage.
Key Actions:
Given the sophistication and focus on espionage, acting swiftly to mitigate potential threats to your organization's network integrity and security is crucial.